To add more info..
I have 3 Linux boxes: linux1, linux2 and linux3. All serve the same website
www.mydomain.com, and in front of them there is a load balancer that
distributes the traffic. So the load balancer holds the front-end IP address
that maps to www.mydomain.com. So every time one of the 3 servers replies back,
it gives out the certificate coming from linuxN, which makes it invalid? Because
of a CN-hostname mismatch?
----- Original Message ----
From: fooler mail <[EMAIL PROTECTED]>
To: Philippine Linux Users' Group (PLUG) Technical Discussion List
<[email protected]>
Sent: Monday, April 14, 2008 1:33:17 PM
Subject: Re: [plug] x509
On 4/14/08, Sir June <[EMAIL PROTECTED]> wrote:
>
>
> Thanks for the info about CN=*.mydomain.com
>
> What if my server has other domains as well that will use SSL certificates?
> Like www.companyA.com and www.companyB.com? And my server's hostname
> is still linux1.mydomain.com.
You have to understand how SSL and Apache's virtual hosting work...
SSL sits between the application layer and the transport layer of the OSI
layering model... HTTP is on the application layer... HTTP uses TCP,
which is on the transport layer... but before it reaches the transport
layer it must first pass through the network layer, where the IP address
resides... HTTPS is HTTP over SSL... HTTP by default listens on TCP port
80 while HTTPS listens on TCP port 443...
For an HTTPS transaction between the client and the server... before it
reaches the application layer, which is the HTTP server... the client
first initiates a handshake with the secure socket layer to obtain a
session key for secure communication... to obtain a session key... the
two pass information... that is where the server sends its certificate,
in which the expiration date, the common name for that actual server name
and other fields are there for the client to warn the user if it has an
invalid date, an invalid common name, etc... your problem last time was
that your CN was www.ourdomain.com while the final destination of your
HTTPS server was linuxN.ourdomain.com, which invalidates its
certificate... once the session key is obtained... then that's the time
a normal HTTP transaction begins over a secured channel...
For virtual hosting... there are two kinds of virtual hosting:
name-based and IP-based virtual hosting...
Name-based depends on the "Host" HTTP header to determine which
virtual host to serve... for serving different HTTPS or SSL certificates,
as you ask above... you cannot use name-based virtual hosting because
Apache cannot determine which host's certificate to send, as it doesn't
see the "Host" HTTP header during the handshake, as I explained above...
Apache just sends the certificate that is declared first in your virtual
host configuration file as its default certificate..
In order for different SSL certificates to work... you have to use
IP-based virtual hosting... therefore you need lots of unique IP
addresses for this...
> Does the CN and server hostname mismatch pose a high security risk?
Yes... the purpose of the CN is to prevent the man-in-the-middle attack technique...
fooler.
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
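The handshake-time hostname check fooler describes, and the load-balancer situation Sir June asks about, as an added example that is not part of the original thread and is not code from the PLUG list or from Apache: a small Python simulation of (1) a client matching the certificate's names against the hostname it connected to, (2) three backends behind one front-end address each presenting their own linuxN certificate versus all three presenting one *.mydomain.com certificate, and (3) certificate selection under name-based versus IP-based virtual hosting. The hostnames are the ones used in the thread; the IP addresses 192.0.2.10 and 192.0.2.11, the Backend/Certificate types and all function names are assumptions made for this example. Only the Python standard library is used, and nothing touches the network.

```python
# Added example for this thread; not code from the PLUG list or from Apache.
# The hostnames come from the thread, the IP addresses and certificates are
# made up, and only the standard library is used (no network access).
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Certificate:
    """The parts of an X.509 server cert a client checks against the hostname."""
    common_name: str
    sans: tuple = ()  # subjectAltName dNSName entries, if any

    def names(self):
        return (self.common_name,) + tuple(self.sans)


@dataclass(frozen=True)
class Backend:
    hostname: str      # the box's real name, e.g. linux1.mydomain.com
    cert: Certificate  # the certificate its https server presents


def name_matches(pattern, hostname):
    """Match one certificate name against the name the client connected to.

    Rules modelled on RFC 6125: compare case-insensitively; '*' is allowed
    only as the entire left-most label and stands for exactly one label, so
    '*.mydomain.com' covers www.mydomain.com and linux1.mydomain.com but not
    mydomain.com, a.b.mydomain.com or www.companya.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # the wildcard must be the whole first label, appear once, and leave at
    # least two fixed labels behind it (no '*.com')
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """The browser's check during the handshake: some listed name must match."""
    return any(name_matches(n, hostname) for n in cert.names())


def simulate_load_balancer(backends, requested_host, requests):
    """Round-robin connections arriving at the balancer's front-end address.

    Returns [(backend hostname, handshake accepted?), ...]. The client typed
    requested_host, so that is what it checks every backend's cert against.
    """
    return [(b.hostname, cert_matches_host(b.cert, requested_host))
            for b, _ in zip(cycle(backends), range(requests))]


def select_cert_ip_based(vhosts_by_ip, dst_ip):
    """IP-based vhosts: the destination IP is known when the TCP connection
    arrives, so the server can choose the right cert before the handshake."""
    return vhosts_by_ip[dst_ip]


def select_cert_name_based(vhosts_in_config_order):
    """Name-based vhosts on one IP, as in the thread (SNI is not modelled):
    the Host header only arrives inside the encrypted HTTP request, after the
    cert has been sent, so the first declared cert goes to every client."""
    return vhosts_in_config_order[0]


def demo():
    # 1. Sir June's setup: three boxes behind one balancer, each presenting a
    #    cert for its own hostname. Every connection to www.mydomain.com fails.
    per_box = [Backend(f"linux{i}.mydomain.com", Certificate(f"linux{i}.mydomain.com"))
               for i in (1, 2, 3)]
    broken = simulate_load_balancer(per_box, "www.mydomain.com", 6)

    # 2. The fix mentioned earlier in the thread: one cert for *.mydomain.com
    #    (or for www.mydomain.com itself) installed on all three boxes.
    shared = Certificate("*.mydomain.com")
    fixed = simulate_load_balancer([Backend(b.hostname, shared) for b in per_box],
                                   "www.mydomain.com", 6)

    # 3. Several SSL sites on one box: name-based vhosts hand the first cert
    #    to everyone; IP-based vhosts hand out the right one.
    cert_a, cert_b = Certificate("www.companyA.com"), Certificate("www.companyB.com")
    name_based = select_cert_name_based([cert_a, cert_b])
    ip_based = select_cert_ip_based({"192.0.2.10": cert_a, "192.0.2.11": cert_b},
                                    "192.0.2.11")
    return {
        "broken": broken,
        "fixed": fixed,
        "name_based_ok_for_B": cert_matches_host(name_based, "www.companyB.com"),
        "ip_based_ok_for_B": cert_matches_host(ip_based, "www.companyB.com"),
    }
```

Running demo() shows the point of the thread in one place: with per-box certificates every handshake through the balancer fails the name check, with one shared certificate every handshake passes, and for two SSL sites on one box only the IP-based layout hands www.companyB.com a certificate that names it.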